/* * Copyright (C) 2008-2020, Juick * * This program is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License as * published by the Free Software Foundation, either version 3 of the * License, or (at your option) any later version. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Affero General Public License for more details. * * You should have received a copy of the GNU Affero General Public License * along with this program. If not, see . */ package com.juick.config; import com.juick.KeystoreManager; import com.juick.SignatureManager; import com.juick.service.UserService; import com.juick.service.security.BearerTokenAuthenticationFilter; import com.juick.service.security.HTTPSignatureAuthenticationFilter; import com.juick.service.security.HashParamAuthenticationFilter; import com.juick.service.security.JuickUserDetailsService; import com.juick.service.security.entities.JuickUser; import org.springframework.beans.factory.annotation.Value; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.http.HttpMethod; import org.springframework.security.config.annotation.web.builders.HttpSecurity; import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity; import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer; import org.springframework.security.config.http.SessionCreationPolicy; import org.springframework.security.core.userdetails.UserDetailsService; import org.springframework.security.web.AuthenticationEntryPoint; import org.springframework.security.web.SecurityFilterChain; import org.springframework.security.web.authentication.AuthenticationSuccessHandler; import org.springframework.security.web.authentication.RememberMeServices; import org.springframework.security.web.authentication.SimpleUrlAuthenticationSuccessHandler; import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices; import org.springframework.security.web.authentication.www.BasicAuthenticationEntryPoint; import org.springframework.security.web.authentication.www.BasicAuthenticationFilter; import org.springframework.security.web.util.matcher.AntPathRequestMatcher; import org.springframework.web.cors.CorsConfiguration; import org.springframework.web.cors.CorsConfigurationSource; import org.springframework.web.cors.UrlBasedCorsConfigurationSource; import javax.inject.Inject; import java.util.Arrays; import java.util.Collections; /** * Created by aalexeev on 11/21/16. */ @EnableWebSecurity @Configuration public class SecurityConfig { @Inject private UserService userService; @Inject private KeystoreManager keystoreManager; private static final String COOKIE_NAME = "juick-remember-me"; @Bean UserDetailsService userDetailsService() { return new JuickUserDetailsService(userService); } @Bean CorsConfigurationSource corsConfigurationSource() { CorsConfiguration configuration = new CorsConfiguration(); configuration.setAllowedOrigins(Collections.singletonList("*")); configuration.setAllowedMethods(Arrays.asList("POST", "GET", "PUT", "OPTIONS", "DELETE")); configuration.setAllowedHeaders(Collections.singletonList("*")); UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource(); source.registerCorsConfiguration("/api/**", configuration); source.registerCorsConfiguration("/u/**", configuration); source.registerCorsConfiguration("/n/**", configuration); return source; } @Inject private SignatureManager signatureManager; @Bean HashParamAuthenticationFilter apiAuthenticationFilter() { return new HashParamAuthenticationFilter(userService, null); } @Bean AuthenticationEntryPoint apiAuthenticationEntryPoint() { var entryPoint = new BasicAuthenticationEntryPoint(); entryPoint.setRealmName("Juick"); return entryPoint; } @Value("${auth_remember_me_key:secret}") private String rememberMeKey; @Value("${web_domain:localhost}") private String webDomain; @Bean HashParamAuthenticationFilter wwwAuthenticationFilter() { return new HashParamAuthenticationFilter(userService, hashCookieServices()); } @Bean BearerTokenAuthenticationFilter bearerTokenAuthenticationFilter() { return new BearerTokenAuthenticationFilter(userService, keystoreManager.getKeyPair()); } @Bean RememberMeServices hashCookieServices() { TokenBasedRememberMeServices services = new TokenBasedRememberMeServices( rememberMeKey, userDetailsService()); services.setCookieName(COOKIE_NAME); services.setCookieDomain(webDomain); services.setAlwaysRemember(true); services.setTokenValiditySeconds(6 * 30 * 24 * 3600); services.setUseSecureCookie(false); // TODO set true if https is supports return services; } @Bean SecurityFilterChain apiChain(HttpSecurity http) throws Exception { http.securityMatcher("/api/**") .addFilterBefore(apiAuthenticationFilter(), BasicAuthenticationFilter.class) .addFilterBefore(new HTTPSignatureAuthenticationFilter(signatureManager, userService), BasicAuthenticationFilter.class) .addFilterBefore(bearerTokenAuthenticationFilter(), BasicAuthenticationFilter.class) .authorizeHttpRequests(requests -> requests .requestMatchers(HttpMethod.OPTIONS).permitAll() .requestMatchers("/api/", "/api/messages", "/api/avatar", "/api/messages/discussions", "/api/users", "/api/thread", "/api/tags", "/api/tlgmbtwbhk", "/api/fbwbhk", "/api/skypebotendpoint", "/api/_fblogin", "/api/_vklogin", "/api/_tglogin", "/api/_google", "/api/_applelogin", "/api/signup", "/api/inbox", "/api/events", "/api/u/", "/api/info/**", "/api/nodeinfo/2.0") .permitAll() .anyRequest().hasRole("USER")) .anonymous(anonymous -> anonymous.principal(JuickUser.ANONYMOUS_USER) .authorities(JuickUser.ANONYMOUS_AUTHORITY)) .httpBasic(httpBasic -> httpBasic .authenticationEntryPoint(apiAuthenticationEntryPoint())) .cors(cors -> cors.configurationSource(corsConfigurationSource())) .sessionManagement(sessionManagement -> sessionManagement .sessionCreationPolicy(SessionCreationPolicy.STATELESS)) .exceptionHandling(exceptionHandling -> exceptionHandling .authenticationEntryPoint(apiAuthenticationEntryPoint())) .csrf().disable() .headers().defaultsDisabled().cacheControl(); return http.build(); } @Bean AuthenticationSuccessHandler successHandler() { SimpleUrlAuthenticationSuccessHandler handler = new SimpleUrlAuthenticationSuccessHandler(); handler.setUseReferer(true); return handler; } @Bean SecurityFilterChain h2ConsoFilterChain(HttpSecurity http) throws Exception { http.securityMatcher("/h2-console/**") .authorizeHttpRequests(auth -> auth .anyRequest().permitAll()) .anonymous(anonymous -> anonymous.principal(JuickUser.ANONYMOUS_USER) .authorities(JuickUser.ANONYMOUS_AUTHORITY)) .csrf().disable() .sessionManagement(sessionManagement -> sessionManagement .sessionCreationPolicy(SessionCreationPolicy.STATELESS)) .exceptionHandling(exceptionHandling -> exceptionHandling .authenticationEntryPoint(apiAuthenticationEntryPoint())) .headers().defaultsDisabled().cacheControl(); return http.build(); } @Bean SecurityFilterChain wwwChain(HttpSecurity http) throws Exception { http.addFilterBefore(wwwAuthenticationFilter(), BasicAuthenticationFilter.class) .authorizeHttpRequests(authorize -> authorize .requestMatchers("/settings", "/pm/**", "/**/bl", "/_twitter", "/post", "/post2", "/comment") .authenticated() .requestMatchers("/actuator/**").hasRole("ADMIN") .anyRequest().permitAll()) .anonymous(anonymous -> anonymous.principal(JuickUser.ANONYMOUS_USER) .authorities(JuickUser.ANONYMOUS_AUTHORITY)) .cors(cors -> cors .configurationSource(corsConfigurationSource())) .sessionManagement( sessionManagement -> sessionManagement .sessionCreationPolicy(SessionCreationPolicy.STATELESS)) .logout(logout -> logout .logoutRequestMatcher(new AntPathRequestMatcher("/logout")) .invalidateHttpSession(true) .logoutSuccessUrl("/") .deleteCookies("hash", COOKIE_NAME)) .formLogin(form -> form.loginPage("/login") .usernameParameter("username") .passwordParameter("password") .successHandler(successHandler()) .failureUrl("/login?error=1") .permitAll()) .csrf(AbstractHttpConfigurer::disable) .rememberMe(rememberMe -> rememberMe .rememberMeCookieDomain(webDomain).key(rememberMeKey) .rememberMeServices(hashCookieServices())) .headers().defaultsDisabled().cacheControl(); return http.build(); } }